I met a problem while using Wireshark: I only wanted to capture the HTTP data packets by setting a filter, but when I input "http" in the filtering condition while setting the network card, it showed red, meaning the setting was wrong, whereas inputting "tcp" etc. showed right. Please tell me what the reason is. Though the filtering condition can be set to "tcp port 80", it can only capture the HTTP that passes through port 80. If some HTTP does not pass through port 80, how can I capture it?

asked 20 Dec '12, 22:52 jun, edited 20 Dec '12, 23:07
One Answer:
The reason is already explained in your other question with the same content. I'll repeat it for you: You cannot use http as a capture filter, as that is not valid libpcap filter syntax, whereas tcp is a valid filter. See here: http://www.manpagez.com/man/7/pcap-filter/ Please use this filter instead:
Wireshark needs a criterion to identify a protocol during the capture phase. That criterion is usually the protocol and the port (80, 3128, 8080, etc.). So, if you want to capture HTTP with libpcap, regardless of the port, you can only try to identify the usual HTTP request commands in the TCP payload. Looking for 'GET ' in the payload:
Looking for 'POST' in the payload:
Explanation:
So, if you want to look for all HTTP commands, you need to combine several of these filters.
Replace xxxxx with the filters for HEAD and other HTTP commands. IMPORTANT: There are some problems the most important problem
other problems
So, if you need the whole HTTP payload for all HTTP connections, regardless of the port, you cannot do that with libpcap filters (Wireshark capture filters). So, you can only capture all data and later use display filters to extract only HTTP sessions. A possible alternative would be one of these commands:
However, you cannot write that data into a pcap file (-w is not supported together with -R), so you need to analyze the output of tshark with tools other than Wireshark. HINT: tshark will also not detect HTTP on ports other than the default port list of the HTTP dissector: 80,3128,3132,5985,8080,8088,11371,1900,2869!! If you tell us more about your plans (why you need to capture HTTP payload regardless of the port), we might find a different solution. Regards

answered 20 Dec '12, 23:23 Kurt Knochner ♦, edited 21 Dec '12, 10:45
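As an added illustration (not code from the answer above or from Wireshark itself), the following Python shows the arithmetic behind a payload-matching capture filter of the kind the answer describes: it generates the standard pcap-filter expression `tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x...` for each HTTP method, ORs them together, and evaluates the same byte-offset check on constructed TCP segments so you can see what such a filter does and does not keep (requests only, first segment only, responses never). The segment layout, ports and methods list are assumptions for the demonstration.

```python
import struct

# HTTP request methods to match; each padded to exactly 4 bytes, since the
# filter compares one 4-byte word at the start of the TCP payload.
METHODS = ["GET ", "POST", "HEAD", "PUT "]

def method_filter(method: str) -> str:
    """Return the libpcap capture filter matching a TCP segment whose payload
    starts with the 4 ASCII bytes of `method`.

    tcp[12:1] carries the data-offset nibble in its high 4 bits; (x & 0xf0) >> 2
    is the header length in bytes, so tcp[<len>:4] reads the first 4 payload bytes.
    """
    word = method.encode("ascii")
    if len(word) != 4:
        raise ValueError("method must be exactly 4 bytes (pad with a space)")
    return f"tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x{word.hex()}"

def combined_filter(methods=METHODS) -> str:
    """OR together one filter per method (HEAD, PUT, ... as the answer suggests)."""
    return " or ".join(f"({method_filter(m)})" for m in methods)

def payload_prefix(tcp_segment: bytes) -> bytes:
    """Mirror the filter's arithmetic on a raw TCP segment (header + payload)."""
    header_len = (tcp_segment[12] & 0xF0) >> 2
    return tcp_segment[header_len:header_len + 4]

def matches_http_request(tcp_segment: bytes, methods=METHODS) -> bool:
    """True when the segment would be kept by combined_filter(methods)."""
    return payload_prefix(tcp_segment) in {m.encode("ascii") for m in methods}

def build_segment(payload: bytes, dst_port: int = 8081, options: bytes = b"") -> bytes:
    """Constructed TCP segment for testing (not a real capture): 20-byte header,
    padded options, then payload. Source port and sequence numbers are arbitrary."""
    options += b"\x00" * (-len(options) % 4)             # options are 32-bit aligned
    header_len = 20 + len(options)
    offset_and_flags = ((header_len // 4) << 12) | 0x018  # data offset in words, PSH|ACK
    header = struct.pack("!HHIIHHHH", 40000, dst_port, 1, 1,
                         offset_and_flags, 65535, 0, 0)
    return header + options + payload

if __name__ == "__main__":
    print(combined_filter())
    for seg in (build_segment(b"GET /index.html HTTP/1.1\r\n"),
                build_segment(b"HTTP/1.1 200 OK\r\n", dst_port=40000)):
        print(payload_prefix(seg), matches_http_request(seg))
```

The response segment and any continuation segment of a large request fall through the filter, which is why the answer recommends capturing everything and applying display filters afterwards when you need whole HTTP sessions.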